How to enable BitLocker device encryption on any Surface

The Windows 10 Fall Creators Update makes it easier to configure device encryption on all Surface devices — Here are the instructions.

Windows 10’s BitLocker on Surface

Whether you have a Surface Pro, Surface Book, or Surface Laptop, they all have at least one thing in common: they are mobile devices that you can take everywhere. However, that also means they can easily get lost or stolen.

Although the hardware can always be replaced, one thing you may not be able to afford is your files, or your organization’s data, getting compromised. And this is when BitLocker can help.

On Windows 10, BitLocker is a security feature that protects your files using data encryption to prevent unauthorized access from hackers and prying eyes. BitLocker provides encryption for full drives and portable drives, and while it’s a feature that has been around for years, on Windows 10, it can even protect individual files with data loss protection.

In this guide, you’ll learn the easy steps to set up BitLocker on any Surface to help protect your data using the Settings app on Windows 10.

How to turn on BitLocker encryption on any Surface

All Surface devices feature a Trusted Platform Module (TPM) that makes it super easy to encrypt all your data.

  1. Open Settings.

  2. Click on Update & Security.

  3. Click on Device encryption.

  4. Click the Turn on button.

    Windows 10 device encryption

Once you’ve completed the steps, Microsoft’s BitLocker will provide encryption for the full drive, and moving forward all your new files will be encrypted.

At any time, you can disable BitLocker on your Surface Pro, Surface Book, or Surface Laptop with the same steps, but in this case, click the Turn off button in step No. 4.

Microsoft’s BitLocker details

After turning on drive encryption on your Surface, the only way to decrypt your files is by signing in to your device with your account password. If you ever forget your password, never try to use third-party recovery tools to reset your password, as you will lose access to files forever.

The Device Encryption option in the Settings is only available on devices with a Trusted Platform Module (TPM) version 1.2 or later starting with the Windows 10 Fall Creators Update.

The TPM is a chip installed inside your Surface and many newer computers. It works with BitLocker to help protect your data and to ensure that the device has not been tampered with while the system was offline.

If you’re dealing with another kind of computer without a TPM chip, you can still use Windows 10’s BitLocker, but you’ll be required to use a USB drive with a startup key to start or resume from hibernation. Alternatively, it’s also possible to use a volume password to protect the partition that houses Windows 10. However, neither of these options provides the system integrity verification offered on a device using a TPM.
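To confirm that encryption is actually active and that the key is bound to the TPM rather than a startup key or volume password, you can check from an elevated PowerShell prompt. This is an added example, not part of the original guide; the function name `Get-DeviceEncryptionReport` is hypothetical, and it assumes the built-in `Get-Tpm` and `Get-BitLockerVolume` cmdlets are available on the device.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original guide): report TPM state and
# BitLocker status for the drive that houses Windows 10.
# Get-DeviceEncryptionReport is a hypothetical helper name.

function Get-DeviceEncryptionReport {
    param([string]$MountPoint = $env:SystemDrive)

    # TPM presence and readiness.
    $tpm = Get-Tpm

    # Win32_Tpm.SpecVersion looks like "2.0, 0, 1.38"; the first field is the TPM version.
    $wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmVersion = if ($wmi) { ($wmi.SpecVersion -split ',')[0].Trim() } else { $null }

    # Device encryption requires TPM 1.2 or later.
    $tpmOk = [bool]($tpm.TpmPresent -and $tpmVersion -and
                    ([version]$tpmVersion -ge [version]'1.2'))

    # Volume state and the kinds of key protectors in use.
    # Only the protector types are listed, never the recovery password itself.
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    [pscustomobject]@{
        MountPoint        = $vol.MountPoint
        TpmPresent        = $tpm.TpmPresent
        TpmReady          = $tpm.TpmReady
        TpmVersion        = $tpmVersion
        MeetsTpmMinimum   = $tpmOk
        VolumeStatus      = $vol.VolumeStatus        # e.g. FullyEncrypted, EncryptionInProgress
        EncryptionPercent = $vol.EncryptionPercentage
        # "Off" on an encrypted volume means the key is not currently protected.
        ProtectionStatus  = $vol.ProtectionStatus
        KeyProtectors     = $types -join ', '
        # Tpm, TpmPin, TpmStartupKey, ... are TPM-backed; ExternalKey (USB startup
        # key) and Password alone give no system integrity verification.
        TpmBacked         = [bool]($types -like 'Tpm*')
        HasRecoveryKey    = $types -contains 'RecoveryPassword'
    }
}

Get-DeviceEncryptionReport | Format-List
```

A device that completed the steps above should show `VolumeStatus` as `FullyEncrypted`, `ProtectionStatus` as `On`, and `TpmBacked` as `True`.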

About the author

Mauro Huculak is a Windows expert and the Editor-in-Chief who started Pureinfotech in 2010 as an independent online publication. He's also been a Windows Central contributor for nearly a decade. Mauro has over 12 years of experience writing comprehensive guides and creating professional videos about Windows, software, and related technologies, including Android and Linux. Before becoming a technology writer, he was an IT administrator for seven years. In total, Mauro has over 20 years of combined experience in technology. Throughout his career, he achieved different professional certifications from Microsoft (MSCA), Cisco (CCNP), VMware (VCP), and CompTIA (A+ & Network+), and he has been recognized as a Microsoft MVP for many years. You can follow him on X (Twitter), YouTube, and LinkedIn.